Using Service-Linked Roles for ElastiCache

Amazon ElastiCache uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to an AWS service, such as ElastiCache. ElastiCache service-linked roles are predefined by ElastiCache and include all the permissions that the service requires to call AWS services on behalf of your clusters.

A service-linked role makes setting up ElastiCache easier because you don't have to manually add the necessary permissions. The roles already exist within your AWS account but are linked to ElastiCache use cases and have predefined permissions. Only ElastiCache can assume these roles, and only these roles can use the predefined permissions policy. You can delete the roles only after first deleting their related resources. This protects your ElastiCache resources because you can't inadvertently remove the permissions that ElastiCache needs to access them.

For information about other services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Creating a Service-Linked Role (IAM Console)

To create a service-linked role (console)

1. In the navigation pane of the IAM console, choose Roles. Then choose Create new role.

2. Expand the AWS service-linked role section, and then select the service that you want to allow to assume this new service-linked role.

3. Next to the AWSServiceRoleForElastiCache service-linked role, choose Select.

4. For Role name, type a suffix to add to the service-linked role default name. This suffix helps you identify the purpose of this role. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both <service-linked-role-name>_SAMPLE and <service-linked-role-name>_sample. Because various entities might reference the role, you cannot edit the name of the role after it has been created.

5. (Optional) For Role description, edit the description for the new service-linked role.

6. Review the role and then choose Create role.

Creating a Service-Linked Role (IAM CLI)

You can use IAM operations from the AWS Command Line Interface to create a service-linked role with the trust policy and inline policies that the service needs to assume the role.
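Whether a role really is assumable only by the ElastiCache service principal, as the page states, can be verified from the trust policy that get-role returns. The following script is an added example, not code from the ElastiCache documentation: it audits the AssumeRolePolicyDocument of a role and reports any principal other than the expected service. The get-role responses embedded below are constructed (the account ID is a placeholder), and the expected service principal elasticache.amazonaws.com and the /aws-service-role/ path prefix are assumptions stated in the code.

```python
"""Audit the trust policy of an ElastiCache service-linked role.

Added example (not from the ElastiCache documentation). It checks the property the
page relies on: only the ElastiCache service principal may assume the role. The
get-role responses below are constructed; the account ID is a placeholder.
"""
import copy
import json
from urllib.parse import quote, unquote

# Assumptions: the SLR trusts exactly this service principal and lives under the
# IAM path reserved for service-linked roles.
EXPECTED_SERVICE = "elasticache.amazonaws.com"
SLR_PATH_PREFIX = "/aws-service-role/"

# Constructed sample shaped like boto3's iam.get_role() output (policy already decoded).
SAMPLE_GET_ROLE = {
    "Role": {
        "Path": "/aws-service-role/elasticache.amazonaws.com/",
        "RoleName": "AWSServiceRoleForElastiCache",
        "Arn": ("arn:aws:iam::123456789012:role/aws-service-role/"
                "elasticache.amazonaws.com/AWSServiceRoleForElastiCache"),
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": "elasticache.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }],
        },
    }
}

# Constructed: the raw REST/CLI form carries the document URL-encoded as a string.
SAMPLE_GET_ROLE_ENCODED = copy.deepcopy(SAMPLE_GET_ROLE)
SAMPLE_GET_ROLE_ENCODED["Role"]["AssumeRolePolicyDocument"] = quote(
    json.dumps(SAMPLE_GET_ROLE["Role"]["AssumeRolePolicyDocument"]))

# Constructed: a tampered trust policy that also lets an IAM user assume the role.
SAMPLE_GET_ROLE_TAMPERED = copy.deepcopy(SAMPLE_GET_ROLE)
SAMPLE_GET_ROLE_TAMPERED["Role"]["AssumeRolePolicyDocument"]["Statement"].append({
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/operator"},
    "Action": "sts:AssumeRole",
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_problems(get_role_response, expected_service=EXPECTED_SERVICE):
    """Return a list of findings for the role; an empty list means it looks as expected."""
    role = get_role_response["Role"]
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):                        # CLI/REST form: URL-encoded JSON
        doc = json.loads(unquote(doc))
    problems = []
    if not role.get("Path", "").startswith(SLR_PATH_PREFIX):
        problems.append(f"role path {role.get('Path')!r} is not under {SLR_PATH_PREFIX}")

    services = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue                                # statement cannot grant AssumeRole
        principal = stmt.get("Principal")
        if principal == "*" or principal is None:
            problems.append("statement allows any principal to assume the role")
            continue
        for kind, who in principal.items():
            for p in _as_list(who):
                if kind == "Service":
                    services.add(p)
                else:                               # AWS account/user/role, Federated, ...
                    problems.append(f"non-service principal {kind}={p} may assume the role")
    if services != {expected_service}:
        problems.append(f"service principals {sorted(services)} differ from [{expected_service}]")
    return problems


def audit_live_role(role_name="AWSServiceRoleForElastiCache"):
    """Fetch the role with boto3 and audit it (needs credentials; not used offline)."""
    import boto3
    return trust_policy_problems(boto3.client("iam").get_role(RoleName=role_name))


if __name__ == "__main__":
    for label, sample in [("expected", SAMPLE_GET_ROLE), ("tampered", SAMPLE_GET_ROLE_TAMPERED)]:
        print(label, trust_policy_problems(sample) or "OK")
```

Because IAM does not let you edit a service-linked role's trust policy, a non-empty result here points at an IAM bug or at a role that is not actually the service-linked role (for example a similarly named customer-managed role), which is what the path check is for.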

Editing the Description of a Service-Linked Role for ElastiCache

ElastiCache does not allow you to edit the AWSServiceRoleForElastiCache service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM.

Editing a Service-Linked Role Description (IAM Console)

You can use the IAM console to edit a service-linked role description.

To edit the description of a service-linked role (console)

1. In the navigation pane of the IAM console, choose Roles.

2. Choose the name of the role to modify.

3. To the far right of Role description, choose Edit.

4. Type a new description in the box and choose Save.

Editing a Service-Linked Role Description (IAM CLI)

You can use IAM operations from the AWS Command Line Interface to edit a service-linked role description.

To change the description of a service-linked role (CLI)

(Optional) To view the current description for a role, use the AWS CLI for IAM operation get-role.

Deleting a Service-Linked Role for ElastiCache

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can delete it.

Amazon ElastiCache does not delete the service-linked role for you.

Cleaning Up a Service-Linked Role

Before you can use IAM to delete a service-linked role, you must first confirm that the role has no resources (clusters or replication groups) associated with it.

To check whether the service-linked role has an active session in the IAM console

1. In the navigation pane of the IAM console, choose Roles. Then select the check box next to the role name that you want to delete, not the name or row itself.

2. For Role actions at the top of the page, choose Delete role.

3. In the confirmation dialog box, review the service last accessed data, which shows when each of the selected roles last accessed an AWS service. This helps you to confirm whether the role is currently active. If you want to proceed, choose Yes, Delete to submit the service-linked role for deletion.

4. Watch the IAM console notifications to monitor the progress of the service-linked role deletion. Because the IAM service-linked role deletion is asynchronous, after you submit the role for deletion, the deletion task can succeed or fail. If the task fails, you can choose View details or View Resources from the notifications to learn why the deletion failed.

Deleting a Service-Linked Role (IAM CLI)

You can use IAM operations from the AWS Command Line Interface to delete a service-linked role.

To delete a service-linked role (CLI)

1. If you don't know the name of the service-linked role that you want to delete, type the following operation to list the roles and their Amazon Resource Names (ARNs) in your account:

Use the role name, not the ARN, to refer to roles with the CLI operations. For example, if a role has the following ARN: arn:aws:iam::123456789012:role/myrole, you refer to the role as myrole.

2. Because a service-linked role cannot be deleted if it is being used or has associated resources, you must submit a deletion request. That request can be denied if these conditions are not met. You must capture the deletion-task-id from the response to check the status of the deletion task. Type the following to submit a service-linked role deletion request:

3. The status of the deletion task can be NOT_STARTED, IN_PROGRESS, SUCCEEDED, or FAILED. If the deletion fails, the call returns the reason that it failed so that you can troubleshoot.

Deleting a Service-Linked Role (IAM API)

You can use the IAM API to delete a service-linked role.

To delete a service-linked role (API)

To submit a deletion request for a service-linked role, call DeleteServiceLinkedRole. In the request, specify a role name.

Because a service-linked role cannot be deleted if it is being used or has associated resources, you must submit a deletion request. That request can be denied if these conditions are not met. You must capture the DeletionTaskId from the response to check the status of the deletion task.
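The clean-up check from Cleaning Up a Service-Linked Role and the asynchronous deletion flow described in the CLI and API sections above, put together as an added Python example that is not code from the ElastiCache documentation. It uses the boto3 call shapes delete_service_linked_role, get_service_linked_role_deletion_status, describe_cache_clusters and describe_replication_groups, but runs offline here against constructed in-memory fakes of IAM and ElastiCache; the task ID format, Region names and resource ARNs inside the fakes are placeholders. The ElastiCache pre-check only sees the Region the client is configured for, which is exactly the case where the Region in IAM's failure reason becomes useful.

```python
"""Delete AWSServiceRoleForElastiCache safely.

Added example (not from the ElastiCache documentation): refuse while ElastiCache
resources remain, submit the asynchronous deletion, poll the task to a terminal
state and surface IAM's failure reason. Runs offline against constructed fakes.
"""
import time

ROLE_NAME = "AWSServiceRoleForElastiCache"
TERMINAL = {"SUCCEEDED", "FAILED"}


def _paged(call, key):
    """Walk an ElastiCache describe_* call using its Marker pagination."""
    marker = None
    while True:
        resp = call(Marker=marker) if marker else call()
        yield from resp.get(key, [])
        marker = resp.get("Marker")
        if not marker:
            return


def elasticache_resources(ec):
    """Clusters and replication groups still present in the client's Region."""
    found = [f"cluster:{c['CacheClusterId']}"
             for c in _paged(ec.describe_cache_clusters, "CacheClusters")]
    found += [f"replication-group:{g['ReplicationGroupId']}"
              for g in _paged(ec.describe_replication_groups, "ReplicationGroups")]
    return found


def delete_service_linked_role(iam, ec, role_name=ROLE_NAME, poll_seconds=0.0, max_polls=30):
    """Return ("SKIPPED", leftovers) if resources remain, else (status, detail lines)."""
    leftovers = elasticache_resources(ec)
    if leftovers:
        return "SKIPPED", leftovers
    # Deletion is asynchronous: the call only returns a task ID to poll.
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    resp = {"Status": "NOT_STARTED"}
    for _ in range(max_polls):
        resp = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        if resp["Status"] in TERMINAL:
            break
        time.sleep(poll_seconds)
    status, details = resp["Status"], []
    if status == "FAILED":
        # IAM names the resources (and their Region) that still use the role.
        reason = resp.get("Reason", {})
        details.append(reason.get("Reason", "no reason given"))
        for usage in reason.get("RoleUsageList", []):
            details += [f"{usage.get('Region', '?')}: {r}" for r in usage.get("Resources", [])]
    elif status not in TERMINAL:
        details.append(f"task {task_id} still {status} after {max_polls} polls")
    return status, details


# ---- constructed fakes so the example runs offline ---------------------------
class FakeElastiCache:
    def __init__(self, clusters=(), groups=()):
        self.clusters, self.groups = list(clusters), list(groups)

    def describe_cache_clusters(self, **kwargs):
        return {"CacheClusters": [{"CacheClusterId": c} for c in self.clusters]}

    def describe_replication_groups(self, **kwargs):
        return {"ReplicationGroups": [{"ReplicationGroupId": g} for g in self.groups]}


class FakeIam:
    """Walks NOT_STARTED -> IN_PROGRESS -> SUCCEEDED, or FAILED if in_use is non-empty."""
    def __init__(self, in_use=()):
        self.in_use, self.polls = list(in_use), 0

    def delete_service_linked_role(self, RoleName):
        self.polls = 0
        # Placeholder task ID; the real value is opaque and must be taken from the response.
        return {"DeletionTaskId": f"task/aws-service-role/elasticache.amazonaws.com/{RoleName}/constructed"}

    def get_service_linked_role_deletion_status(self, DeletionTaskId):
        self.polls += 1
        if self.polls < 3:
            return {"Status": ["NOT_STARTED", "IN_PROGRESS"][self.polls - 1]}
        if self.in_use:
            return {"Status": "FAILED", "Reason": {
                "Reason": "Role is being used by resources",
                "RoleUsageList": [{"Region": "eu-west-1", "Resources": self.in_use}]}}
        return {"Status": "SUCCEEDED"}


def main():
    """Live run (needs AWS credentials and the boto3 package)."""
    import boto3
    status, details = delete_service_linked_role(
        boto3.client("iam"), boto3.client("elasticache"), poll_seconds=2.0)
    print(status, *details, sep="\n")


if __name__ == "__main__":
    main()
```

The pre-check is a courtesy, not the guard: IAM itself refuses the deletion while any resource still depends on the role, and the FAILED reason lists those resources by Region, so a run that passes the local check but fails in IAM usually means clusters exist in another Region.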